Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-90273 | VRAU-VA-000640 | SV-100923r1_rule | | Medium |
Description |
---|
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Using certificates that are not issued or approved by DoD or CNSS creates an integrity risk. The vAMI must use approved DoD or CNSS Class 3 or Class 4 certificates for software signing and business-to-business transactions. |
STIG | Date |
---|---|
VMW vRealize Automation 7.x vAMI Security Technical Implementation Guide | 2018-10-12 |
Check Text (C-89965r1_chk) |
---|
Interview the ISSO and/or the SA. Determine if the vAMI is using PKI Class 3 or Class 4 certificates. If the vAMI is using PKI Class 3 or Class 4 certificates, and the certificates are not DoD- or CNSS-approved, this is a finding. |
Fix Text (F-97015r1_fix) |
---|
If the vAMI is using PKI Class 3 or Class 4 certificates, install certificates that are DoD or CNSS approved. |